DTD prohibited in xml document exception

by

First, some background.

What is a DTD?

The document you are trying to parse contains a document type declaration; if you look at the document, you will find near the beginning a sequence of characters beginning with <!DOCTYPE and ending with the corresponding >. Such a declaration allows an XML processor to validate the document against a set of declarations which specify a set of elements and attributes and constrain what values or contents they can have.

Since entities are also declared in DTDs, a DTD allows a processor to know how to expand references to entities. (The entity pubdate might be defined to contain the publication date of a document, like “15 December 2012”, and referred to several times in the document as &pubdate; — since the actual date is given only once, in the entity declaration, this usage makes it easier to keep the various references to publication date in the document consistent with each other.)

What does a DTD mean?

The document type declaration has a purely declarative meaning: a schema for this document type, in the syntax defined in the XML spec, can be found at such and such a location.

Some software written by people with a weak grasp of XML fundamentals suffers from an elementary confusion about the meaning of the declaration; it assumes that the meaning of the document type declaration is not declarative (a schema is over there) but imperative (please validate this document). The parser you are using appears to be such a parser; it assumes that by handing it an XML document that has a document type declaration, you have requested a certain kind of processing. Its authors might benefit from a remedial course on how to accept run-time parameters from the user. (You see how hard it is for some people to understand declarative semantics: even the creators of some XML parsers sometimes fail to understand them and slip into imperative thinking instead. Sigh.)

What are these ‘security reasons’ they are talking about?

Some security-minded people have decided that DTD processing (validation, or entity expansion without validation) constitutes a security risk. Using entity expansion, it’s easy to make a very small XML data stream which expands, when all entities are fully expanded, into a very large document. Search for information on what is called the “billion laughs attack” if you want to read more.

One obvious way to protect against the billion laughs attack is for those who invoke a parser on user-supplied or untrusted data to invoke the parser in an environment which limits the amount of memory or time the parsing process is allowed to consume. Such resource limits have been standard parts of operating systems since the mid-1960s. For reasons that remain obscure to me, however, some security-minded people believe that the correct answer is to run parsers on untrusted input without resource limits, in the apparent belief that this is safe as long as you make it impossible to validate the input against an agreed schema.

This is why your system is telling you that your data has a security issue.

To some people, the idea that DTDs are a security risk sounds more like paranoia than good sense, but I don’t believe they are correct. Remember (a) that a healthy paranoia is what security experts need in life, and (b) that anyone really interested in security would insist on the resource limits in any case — in the presence of resource limits on the parsing process, DTDs are harmless. The banning of DTDs is not paranoia but fetishism.

Now, with that background out of the way …

How do you fix the problem?

The best solution is to complain bitterly to your vendor that they have been suckered by an old wive’s tale about XML security, and tell them that if they care about security they should do a rational security analysis instead of prohibiting DTDs.

Meanwhile, as the message suggests, you can “set the ProhibitDtd property on XmlReaderSettings to false and pass the settings into XmlReader.Create method.” If the input is in fact untrusted, you might also look into ways of giving the process appropriate resource limits.

And as a fallback (I do not recommend this) you can comment out the document type declaration in your input.

More Related Contents:

  1. Reading Xml with XmlReader in C#
  2. Convert XML String to Object
  3. What is the best way to parse (big) XML in C# Code?
  4. xml.LoadData – Data at the root level is invalid. Line 1, position 1
  5. Appending an existing XML file with XmlWriter
  6. How do I convert an ISO8601 TimeSpan to a C# TimeSpan?
  7. How to write a Parser in C#? [closed]
  8. Deciding on when to use XmlDocument vs XmlReader
  9. Read a XML (from a string) and get some fields – Problems reading XML
  10. How to convert XML to JSON using C#/LINQ?
  11. Reading large XML documents in .net
  12. There is no Unicode byte order mark. Cannot switch to Unicode
  13. How to monitor/wait on array of objects?
  14. Starting form to appear before the next form
  15. Casting vs using the ‘as’ keyword in the CLR
  16. What is the ‘dynamic’ type in C# 4.0 used for?
  17. JavaScriptSerializer.Deserialize – how to change field names
  18. Format an Excel column (or cell) as Text in C#?
  19. How do I restart a WPF application? [duplicate]
  20. Replacing a char at a given index in string? [duplicate]
  21. How to force a WPF binding to refresh?
  22. Read last line of text file
  23. The State of Linkers for .NET apps (aka “Please Sir, May I have a Linker” 2009 edition)
  24. thread with multiple parameters
  25. How can I include line numbers in a stack trace without a pdb?
  26. Data binding for TextBox
  27. JsonConvert.Deserializer indexing issues
  28. Create object instance of a class from its name in string variable
  29. Redirect to another page when user is not authorized in asp.net mvc3
  30. How to debug “Could not load file or assembly” runtime errors?

Leave a Comment